Posted to server-dev@james.apache.org by "Antoine Duprat (JIRA)" <se...@james.apache.org> on 2017/09/20 12:42:00 UTC

[jira] [Closed] (JAMES-2144) As an attacker I can overwrite JMAP attachment ContentType

     [ https://issues.apache.org/jira/browse/JAMES-2144?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Antoine Duprat closed JAMES-2144.
---------------------------------

> As an attacker I can overwrite JMAP attachment ContentType
> ----------------------------------------------------------
>
>                 Key: JAMES-2144
>                 URL: https://issues.apache.org/jira/browse/JAMES-2144
>             Project: James Server
>          Issue Type: Bug
>          Components: JMAP
>            Reporter: Antoine Duprat
>            Assignee: Antoine Duprat
>
> Action: As an attacker I can overwrite JMAP attachment ContentType in anyone's mailbox.
> Access required:
> None (sending a mail)
> Exact content of the attachment whose ContentType is to be replaced
> Cause of the vulnerability: The content-type is not taken into account in the AttachmentId computation. Only content is. Hence sending the same message two times with a different content type will result in a single attachment being stored, hence a content-type overwrite.
> Example of exploit:
> usera sends a PDF to various persons.
> I receive it.
> I send the same PDF to myself, but with Content-Type text/plain.
> The Content-Type of the attachment is now changed for each person.
> Fixing it:
> We will change the AttachmentId computation algorithm to take into account content-type. A different content type will mean a different attachmentId and thus no content-type overwrite.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
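
The cause and fix described in the report, replayed against a toy shared store. This is an added example, not part of the original message and not code from the James project. SHA-256, the length-prefixed encoding, and the names AttachmentStore, id_content_only, id_with_type and replay are assumptions made for illustration.

```python
import hashlib

def id_content_only(content: bytes, content_type: str) -> str:
    # Behaviour described in the report: the type plays no part in the id.
    # (SHA-256 is an assumption; the report does not name the hash.)
    return hashlib.sha256(content).hexdigest()

def id_with_type(content: bytes, content_type: str) -> str:
    # Fix described in the report: the content type is part of the id.
    # The type is length-prefixed so the type/content boundary is unambiguous.
    ct = content_type.encode("utf-8")
    h = hashlib.sha256()
    h.update(len(ct).to_bytes(4, "big"))
    h.update(ct)
    h.update(content)
    return h.hexdigest()

class AttachmentStore:
    """Hypothetical store holding one record per attachment id."""

    def __init__(self, id_func):
        self._id_func = id_func
        self._records = {}

    def store(self, content: bytes, content_type: str) -> str:
        att_id = self._id_func(content, content_type)
        # Last write wins, so an id collision replaces the stored type.
        self._records[att_id] = (content_type, content)
        return att_id

    def content_type(self, att_id: str) -> str:
        return self._records[att_id][0]

def replay(id_func):
    """Replay the report's scenario; return (type the recipients see, ids equal?)."""
    store = AttachmentStore(id_func)
    pdf = b"%PDF-1.4 constructed sample bytes"      # constructed sample input
    original_id = store.store(pdf, "application/pdf")  # usera's mail
    second_id = store.store(pdf, "text/plain")         # same bytes, other type
    return store.content_type(original_id), original_id == second_id

if __name__ == "__main__":
    print("content-only id:", replay(id_content_only))
    print("type-aware id:  ", replay(id_with_type))
```

With the content-only id the second store call replaces the record the first one created; with the type-aware id the two mails get separate records.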
